Eliciting and utilising knowledge for security event log analysis: an association rule mining and automated planning approach

Saad Khan, Simon Parkinson

Research output: Contribution to journalArticle

Abstract

Vulnerability assessment and security configuration activities are heavily reliant on expert knowledge. This requirement often results in many systems being left insecure due to a lack of analysis expertise and access to specialist resources. It has long been known that a system’s event logs provide historical information depicting potential security breaches, as well as recording configuration activities. However, identifying and utilising knowledge within the event logs is challenging for the non-expert. In this paper, a novel technique is developed to process security event logs of a computer that has been assessed and configured by a security professional, extract key domain knowledge indicative of their expert decision making, and automatically apply learnt knowledge to previously unseen systems by non-experts. The technique converts event log entries into an object-based model and dynamically extracts associative rules. The rules are further improved in terms of quality using a temporal metric to autonomously establish temporal-association rules and acquire a domain model of expert configuration tasks. The acquired domain model and problem instance generated from a previously unseen system can then be used to produce a plan-of-action, which can be exploited by non-professionals to improve their system’s security. Empirical analysis is subsequently performed on 20 event logs, where identified plan traces are discussed in terms of accuracy and performance.
LanguageEnglish
Pages116-127
Number of pages12
JournalExpert Systems with Applications
Volume113
Early online date3 Jul 2018
DOIs
Publication statusPublished - 15 Dec 2018

Fingerprint

Association rules
Planning
Security systems
Decision making

Cite this

@article{c305b1ac9fd646619b256620c3c5ca0a,
title = "Eliciting and utilising knowledge for security event log analysis: an association rule mining and automated planning approach",
abstract = "Vulnerability assessment and security configuration activities are heavily reliant on expert knowledge. This requirement often results in many systems being left insecure due to a lack of analysis expertise and access to specialist resources. It has long been known that a system’s event logs provide historical information depicting potential security breaches, as well as recording configuration activities. However, identifying and utilising knowledge within the event logs is challenging for the non-expert. In this paper, a novel technique is developed to process security event logs of a computer that has been assessed and configured by a security professional, extract key domain knowledge indicative of their expert decision making, and automatically apply learnt knowledge to previously unseen systems by non-experts. The technique converts event log entries into an object-based model and dynamically extracts associative rules. The rules are further improved in terms of quality using a temporal metric to autonomously establish temporal-association rules and acquire a domain model of expert configuration tasks. The acquired domain model and problem instance generated from a previously unseen system can then be used to produce a plan-of-action, which can be exploited by non-professionals to improve their system’s security. Empirical analysis is subsequently performed on 20 event logs, where identified plan traces are discussed in terms of accuracy and performance.",
keywords = "Security Event Logs, Association Rule Mining, Temporal ordering, Automated Knowledge Acquisition, Automated Planning",
author = "Saad Khan and Simon Parkinson",
year = "2018",
month = "12",
day = "15",
doi = "10.1016/j.eswa.2018.07.006",
language = "English",
volume = "113",
pages = "116--127",
journal = "Expert Systems with Applications",
issn = "0957-4174",
publisher = "Elsevier Limited",

}

TY - JOUR

T1 - Eliciting and utilising knowledge for security event log analysis

T2 - Expert Systems with Applications

AU - Khan, Saad

AU - Parkinson, Simon

PY - 2018/12/15

Y1 - 2018/12/15

N2 - Vulnerability assessment and security configuration activities are heavily reliant on expert knowledge. This requirement often results in many systems being left insecure due to a lack of analysis expertise and access to specialist resources. It has long been known that a system’s event logs provide historical information depicting potential security breaches, as well as recording configuration activities. However, identifying and utilising knowledge within the event logs is challenging for the non-expert. In this paper, a novel technique is developed to process security event logs of a computer that has been assessed and configured by a security professional, extract key domain knowledge indicative of their expert decision making, and automatically apply learnt knowledge to previously unseen systems by non-experts. The technique converts event log entries into an object-based model and dynamically extracts associative rules. The rules are further improved in terms of quality using a temporal metric to autonomously establish temporal-association rules and acquire a domain model of expert configuration tasks. The acquired domain model and problem instance generated from a previously unseen system can then be used to produce a plan-of-action, which can be exploited by non-professionals to improve their system’s security. Empirical analysis is subsequently performed on 20 event logs, where identified plan traces are discussed in terms of accuracy and performance.

AB - Vulnerability assessment and security configuration activities are heavily reliant on expert knowledge. This requirement often results in many systems being left insecure due to a lack of analysis expertise and access to specialist resources. It has long been known that a system’s event logs provide historical information depicting potential security breaches, as well as recording configuration activities. However, identifying and utilising knowledge within the event logs is challenging for the non-expert. In this paper, a novel technique is developed to process security event logs of a computer that has been assessed and configured by a security professional, extract key domain knowledge indicative of their expert decision making, and automatically apply learnt knowledge to previously unseen systems by non-experts. The technique converts event log entries into an object-based model and dynamically extracts associative rules. The rules are further improved in terms of quality using a temporal metric to autonomously establish temporal-association rules and acquire a domain model of expert configuration tasks. The acquired domain model and problem instance generated from a previously unseen system can then be used to produce a plan-of-action, which can be exploited by non-professionals to improve their system’s security. Empirical analysis is subsequently performed on 20 event logs, where identified plan traces are discussed in terms of accuracy and performance.

KW - Security Event Logs

KW - Association Rule Mining

KW - Temporal ordering

KW - Automated Knowledge Acquisition

KW - Automated Planning

U2 - 10.1016/j.eswa.2018.07.006

DO - 10.1016/j.eswa.2018.07.006

M3 - Article

VL - 113

SP - 116

EP - 127

JO - Expert Systems with Applications

JF - Expert Systems with Applications

SN - 0957-4174

ER -